(maint) Hardening manifests and tasks

This PR aims to implement some changes that ensure no malformed commands
are passed through to the system. Certain commands were left undivided
as the commands did not get correctly interpreted.

Primarily, the commands targeted were the ones related to Open3 and exec.

Author: LukasAud

manifests/compose.pp

@@ -71,7 +71,7 @@
     }
 
     if $facts['os']['family'] == 'windows' {
-      $docker_download_command = "if (Invoke-WebRequest ${docker_compose_url} ${proxy_opt} -UseBasicParsing -OutFile \"${docker_compose_location_versioned}\") { exit 0 } else { exit 1}" # lint:ignore:140chars
+      $docker_download_command = ['if', '(Invoke-WebRequest', $docker_compose_url, $proxy_opt, '-UseBasicParsing', '-OutFile', "\"${docker_compose_location_versioned}\") { exit 0 } else { exit 1}"] # lint:ignore:140chars
 
       exec { "Install Docker Compose ${version}":
         command  => template('docker/windows/download_docker_compose.ps1.erb'),
@@ -92,7 +92,7 @@
       exec { "Install Docker Compose ${version}":
         path    => '/usr/bin/',
         cwd     => '/tmp',
-        command => "curl -s -S -L ${proxy_opt} ${docker_compose_url} -o ${docker_compose_location_versioned}",
+        command => ['curl', '-s', '-S', '-L', $proxy_opt, $docker_compose_url, '-o', $docker_compose_location_versioned],
         creates => $docker_compose_location_versioned,
         require => Package['curl'],
       }

manifests/install.pp

@@ -113,8 +113,9 @@
             }
           }
 
+          $fail_restart_command = ['SC.exe', 'failure', 'Docker', 'reset= 432000', 'actions= restart/30000/restart/60000/restart/60000']
           exec { 'service-restart-on-failure':
-            command     => 'SC.exe failure Docker reset= 432000 actions= restart/30000/restart/60000/restart/60000',
+            command     => $fail_restart_command,
             refreshonly => true,
             logoutput   => true,
             provider    => powershell,

manifests/machine.pp

@@ -56,7 +56,7 @@
     }
 
     if $facts['os']['family'] == 'windows' {
-      $docker_download_command = "if (Invoke-WebRequest ${docker_machine_url} ${proxy_opt} -UseBasicParsing -OutFile \"${docker_machine_location_versioned}\") { exit 0 } else { exit 1}" # lint:ignore:140chars
+      $docker_download_command = ['if', '(Invoke-WebRequest', $docker_machine_url, $proxy_opt, '-UseBasicParsing', '-OutFile', "\"${docker_machine_location_versioned}\") { exit 0 } else { exit 1}"] # lint:ignore:140chars
 
       exec { "Install Docker Machine ${version}":
         command  => template('docker/windows/download_docker_machine.ps1.erb'),
@@ -74,10 +74,11 @@
         ensure_packages(['curl'])
       }
 
+      $install_command = ['curl', '-s', '-S', '-L', $proxy_opt, $docker_machine_url, '-o', $docker_machine_location_versioned] # lint:ignore:140chars
       exec { "Install Docker Machine ${version}":
         path    => '/usr/bin/',
         cwd     => '/tmp',
-        command => "curl -s -S -L ${proxy_opt} ${docker_machine_url} -o ${docker_machine_location_versioned}",
+        command => $install_command,
         creates => $docker_machine_location_versioned,
         require => Package['curl'],
       }

manifests/plugin.pp

@@ -68,8 +68,8 @@
       }
     )
 
-    $exec_install   = "${docker_command} install ${docker_plugin_install_flags}"
-    $unless_install = "${docker_command} ls --format='{{.PluginReference}}' | grep -w ${plugin_name}"
+    $exec_install   = [$docker_command, 'install', $docker_plugin_install_flags]
+    $unless_install = [$docker_command, 'ls', "--format='{{.PluginReference}}' | grep -w ${plugin_name}"]
 
     exec { "plugin install ${plugin_name}":
       command     => $exec_install,
@@ -85,8 +85,8 @@
       }
     )
 
-    $exec_rm   = "${docker_command} rm ${docker_plugin_remove_flags}"
-    $onlyif_rm = "${docker_command} ls --format='{{.PluginReference}}' | grep -w ${plugin_name}"
+    $exec_rm   = [$docker_command, 'rm', $docker_plugin_remove_flags]
+    $onlyif_rm = [$docker_command, 'ls', "--format='{{.PluginReference}}' | grep -w ${plugin_name}"]
 
     exec { "plugin remove ${plugin_name}":
       command     => $exec_rm,
@@ -105,8 +105,8 @@
       }
     )
 
-    $exec_enable   = "${docker_command} enable ${docker_plugin_enable_flags}"
-    $onlyif_enable = "${docker_command} ls -f enabled=false --format='{{.PluginReference}}' | grep -w ${plugin_name}"
+    $exec_enable   = [$docker_command, 'enable', $docker_plugin_enable_flags]
+    $onlyif_enable = [$docker_command, 'ls', '-f', "enabled=false --format='{{.PluginReference}}' | grep -w ${plugin_name}"]
 
     exec { "plugin enable ${plugin_name}":
       command     => $exec_enable,
@@ -116,12 +116,15 @@
       onlyif      => $onlyif_enable,
     }
   } elsif $enabled == false {
+    $else_command = [$docker_command, 'disable', $plugin_name]
+    $else_unless = [$docker_command, 'ls', '-f', "enabled=false --format='{{.PluginReference}}' | grep -w ${plugin_name}"]
+
     exec { "disable ${plugin_name}":
-      command     => "${docker_command} disable ${plugin_name}",
+      command     => $else_command,
       environment => 'HOME=/root',
       path        => ['/bin', '/usr/bin',],
       timeout     => 0,
-      unless      => "${docker_command} ls -f enabled=false --format='{{.PluginReference}}' | grep -w ${plugin_name}",
+      unless      => $else_unless,
     }
   }
 }

manifests/registry.pp

@@ -125,7 +125,7 @@
       # server may be an URI, which can contain /
       $server_strip  = regsubst($server, '[/:]', '_', 'G')
       $passfile      = "${::docker_user_temp_path}/registry-auth-puppet_receipt_${server_strip}_${local_user}"
-      $_auth_command = "if (-not (${auth_cmd})) { Remove-Item -Path ${passfile} -Force -Recurse -EA SilentlyContinue; exit 1 } else { exit 0 }" # lint:ignore:140chars
+      $_auth_command = ["if (-not (${auth_cmd}))", "{ Remove-Item -Path ${passfile}", '-Force', '-Recurse', '-EA', 'SilentlyContinue; exit 1 } else { exit 0 }'] # lint:ignore:140chars
 
       if $ensure == 'absent' {
         file { $passfile:

manifests/run.pp

@@ -373,8 +373,10 @@
   }
 
   if $restart_on_unhealthy {
+    $unhealthy_command = [$docker_command, 'restart', $sanitised_title]
+
     exec { "Restart unhealthy container ${title} with docker":
-      command     => "${docker_command} restart ${sanitised_title}",
+      command     => $unhealthy_command,
       onlyif      => $restart_check,
       environment => $exec_environment,
       path        => $exec_path,
@@ -385,18 +387,24 @@
 
   if $restart {
     if $ensure == 'absent' {
+      $restart_stop_command = [$docker_command, 'stop', "--time=${stop_wait_time}", $sanitised_title]
+      $restart_stop_onlyif = [$docker_command, 'inspect', $sanitised_title]
+
       exec { "stop ${title} with docker":
-        command     => "${docker_command} stop --time=${stop_wait_time} ${sanitised_title}",
-        onlyif      => "${docker_command} inspect ${sanitised_title}",
+        command     => $restart_stop_command,
+        onlyif      => $restart_stop_onlyif,
         environment => $exec_environment,
         path        => $exec_path,
         provider    => $exec_provider,
         timeout     => $exec_timeout,
       }
 
+      $restart_remove_command = [$docker_command, 'rm', '-v', $sanitised_title]
+      $restart_remove_onlyif = [$docker_command, 'inspect', $sanitised_title]
+
       exec { "remove ${title} with docker":
-        command     => "${docker_command} rm -v ${sanitised_title}",
-        onlyif      => "${docker_command} inspect ${sanitised_title}",
+        command     => $restart_remove_command,
+        onlyif      => $restart_remove_onlyif,
         environment => $exec_environment,
         path        => $exec_path,
         provider    => $exec_provider,
@@ -432,17 +440,19 @@
         }
 
         if $running == false {
+          $running_stop_command = [$docker_command, 'stop', "--time=${stop_wait_time}", $sanitised_title]
           exec { "stop ${title} with docker":
-            command     => "${docker_command} stop --time=${stop_wait_time} ${sanitised_title}",
+            command     => $running_stop_command,
             onlyif      => $container_running_check,
             environment => $exec_environment,
             path        => $exec_path,
             provider    => $exec_provider,
             timeout     => $exec_timeout,
           }
         } else {
+          $running_start_command = [$docker_command, 'start', $sanitised_title]
           exec { "start ${title} with docker":
-            command     => "${docker_command} start ${sanitised_title}",
+            command     => $running_start_command,
             unless      => $container_running_check,
             environment => $exec_environment,
             path        => $exec_path,
@@ -517,9 +527,12 @@
 
     if $ensure == 'absent' {
       if $facts['os']['family'] == 'windows' {
+        $absent_stop_command = [$docker_command, 'stop', "--time=${stop_wait_time}", $sanitised_title]
+        $absent_stop_onlyif = [$docker_command, 'inspect', $sanitised_title]
+
         exec { "stop container ${service_prefix}${sanitised_title}":
-          command     => "${docker_command} stop --time=${stop_wait_time} ${sanitised_title}",
-          onlyif      => "${docker_command} inspect ${sanitised_title}",
+          command     => $absent_stop_command,
+          onlyif      => $absent_stop_onlyif,
           environment => $exec_environment,
           path        => $exec_path,
           provider    => $exec_provider,
@@ -536,9 +549,12 @@
           notify    => Exec["remove container ${service_prefix}${sanitised_title}"],
         }
       }
+      $absent_remove_command = [$docker_command, 'rm', '-v', $sanitised_title]
+      $absent_remove_onlyif = [$docker_command, 'inspect', $sanitised_title]
+
       exec { "remove container ${service_prefix}${sanitised_title}":
-        command     => "${docker_command} rm -v ${sanitised_title}",
-        onlyif      => "${docker_command} inspect ${sanitised_title}",
+        command     => $absent_remove_command,
+        onlyif      => $absent_remove_onlyif,
         environment => $exec_environment,
         path        => $exec_path,
         refreshonly => true,

manifests/secrets.pp

@@ -27,8 +27,8 @@
       }
     )
 
-    $exec_secret   = "${docker_command} ${docker_secrets_flags}"
-    $unless_secret = "${docker_command} inspect ${secret_name}"
+    $exec_secret   = [$docker_command, $docker_secrets_flags]
+    $unless_secret = [$docker_command, 'inspect', $secret_name]
 
     exec { "${title} docker secret create":
       command => $exec_secret,
@@ -38,9 +38,12 @@
   }
 
   if $ensure == 'absent' {
+    $absent_secret_command = [$docker_command, 'rm', $secret_name]
+    $absent_secret_onlyif = [$docker_command, 'inspect', $secret_name]
+
     exec { "${title} docker secret rm":
-      command => "${docker_command} rm ${secret_name}",
-      onlyif  => "${docker_command} inspect ${secret_name}",
+      command => $absent_secret_command,
+      onlyif  => $absent_secret_onlyif,
       path    => ['/bin', '/usr/bin',],
     }
   }

manifests/services.pp

@@ -132,8 +132,8 @@
       }
     )
 
-    $exec_create   = "${docker_command} create --name ${docker_service_create_flags}"
-    $unless_create = "docker service ps ${service_name}"
+    $exec_create   = [$docker_command, 'create', '--name', $docker_service_create_flags]
+    $unless_create = ['docker', 'service', 'ps', "${service_name}"]
 
     exec { "${title} docker service create":
       command     => $exec_create,
@@ -163,7 +163,7 @@
       }
     )
 
-    $exec_update = "${docker_command} update ${docker_service_flags}"
+    $exec_update = [$docker_command, 'update', $docker_service_flags]
 
     exec { "${title} docker service update":
       command     => $exec_update,
@@ -182,7 +182,7 @@
       }
     )
 
-    $exec_scale = "${docker_command} scale ${service_name}=${replicas}"
+    $exec_scale = [$docker_command, 'scale', "${service_name}=${replicas}"]
 
     exec { "${title} docker service scale":
       command     => $exec_scale,
@@ -194,9 +194,12 @@
   }
 
   if $ensure == 'absent' {
+    $service_command = ['docker', 'service', 'rm', $service_name]
+    $service_onlyif = ['docker', 'service', 'ps', $service_name]
+
     exec { "${title} docker service remove":
-      command  => "docker service rm ${service_name}",
-      onlyif   => "docker service ps ${service_name}",
+      command  => $service_command,
+      onlyif   => $service_onlyif,
       path     => $exec_path,
       provider => $exec_provider,
       timeout  => $exec_timeout,

manifests/stack.pp

@@ -59,7 +59,7 @@
       }
     )
 
-    $exec_stack = "${docker_command} deploy ${docker_stack_flags} ${stack_name}"
+    $exec_stack = [$docker_command, 'deploy', $docker_stack_flags, $stack_name]
 
     exec { "docker stack create ${stack_name}":
       command  => $exec_stack,
@@ -70,8 +70,10 @@
   }
 
   if $ensure == 'absent' {
+    $destroy_command = [$docker_command, 'rm', $stack_name]
+
     exec { "docker stack destroy ${stack_name}":
-      command  => "${docker_command} rm ${stack_name}",
+      command  => $destroy_command,
       onlyif   => $check_stack,
       path     => $exec_path,
       provider => $provider,

manifests/swarm.pp

@@ -117,7 +117,7 @@
       }
     )
 
-    $exec_init = "${docker_command} ${docker_swarm_init_flags}"
+    $exec_init = [$docker_command, $docker_swarm_init_flags]
 
     exec { 'Swarm init':
       command     => $exec_init,
@@ -138,7 +138,7 @@
       }
     )
 
-    $exec_join = "${docker_command} ${docker_swarm_join_flags} ${manager_ip}"
+    $exec_join = [$docker_command, $docker_swarm_join_flags, $manager_ip]
 
     exec { 'Swarm join':
       command     => $exec_join,

spec/shared_examples/compose.rb

@@ -62,7 +62,7 @@
         is_expected.to contain_exec("Install Docker Compose #{version}").with(
           'path'    => '/usr/bin/',
           'cwd'     => '/tmp',
-          'command' => "curl -s -S -L #{proxy_opt} #{docker_compose_url} -o #{docker_compose_location_versioned}",
+          'command' => ['curl', '-s', '-S', '-L', proxy_opt, docker_compose_url, '-o', docker_compose_location_versioned],
           'creates' => docker_compose_location_versioned,
         ).that_requires(
           'Package[curl]',

spec/shared_examples/install.rb

@@ -141,7 +141,7 @@
 
       it {
         is_expected.to contain_exec('service-restart-on-failure').with(
-          'command'     => 'SC.exe failure Docker reset= 432000 actions= restart/30000/restart/60000/restart/60000',
+          'command'     => ['SC.exe', 'failure', 'Docker', 'reset= 432000', 'actions= restart/30000/restart/60000/restart/60000'],
           'refreshonly' => true,
           'logoutput'   => true,
           'provider'    => 'powershell',

spec/shared_examples/machine.rb

@@ -62,7 +62,7 @@
         is_expected.to contain_exec("Install Docker Machine #{version}").with(
           'path'    => '/usr/bin/',
           'cwd'     => '/tmp',
-          'command' => "curl -s -S -L #{proxy_opt} #{docker_machine_url} -o #{docker_machine_location_versioned}",
+          'command' => ['curl', '-s', '-S', '-L', proxy_opt, docker_machine_url, '-o', docker_machine_location_versioned],
           'creates' => docker_machine_location_versioned,
         ).that_requires(
           'Package[curl]',

spec/shared_examples/plugin.rb

@@ -24,8 +24,8 @@
       'settings'              => settings,
     )
 
-    exec_install   = "#{docker_command} install #{docker_plugin_install_flags}"
-    unless_install = "#{docker_command} ls --format='{{.PluginReference}}' | grep -w #{plugin_name}"
+    exec_install   = [docker_command, 'install', docker_plugin_install_flags]
+    unless_install = [docker_command, 'ls', "--format='{{.PluginReference}}' | grep -w #{plugin_name}"]
 
     it {
       is_expected.to contain_exec("plugin install #{plugin_name}").with(
@@ -43,8 +43,8 @@
       'force_remove' => force_remove,
     )
 
-    exec_rm   = "#{docker_command} rm #{docker_plugin_remove_flags}"
-    onlyif_rm = "#{docker_command} ls --format='{{.PluginReference}}' | grep -w #{plugin_name}"
+    exec_rm   = [docker_command, 'rm', docker_plugin_remove_flags]
+    onlyif_rm = [docker_command, 'ls', "--format='{{.PluginReference}}' | grep -w #{plugin_name}"]
 
     it {
       is_expected.to contain_exec("plugin remove #{plugin_name}").with(
@@ -64,8 +64,8 @@
       'timeout'      => timeout,
     )
 
-    exec_enable   = "#{docker_command} enable #{docker_plugin_enable_flags}"
-    onlyif_enable = "#{docker_command} ls -f enabled=false --format='{{.PluginReference}}' | grep -w #{plugin_name}"
+    exec_enable   = [docker_command, 'enable', docker_plugin_enable_flags]
+    onlyif_enable = [docker_command, 'ls', '-f', "enabled=false --format='{{.PluginReference}}' | grep -w #{plugin_name}"]
 
     it {
       is_expected.to contain_exec("plugin enable #{plugin_name}").with(
@@ -77,13 +77,16 @@
       )
     }
   else
+    else_command = [docker_command, 'disable', plugin_name]
+    else_unless = [docker_command, 'ls', '-f', "enabled=false --format='{{.PluginReference}}' | grep -w #{plugin_name}"]
+
     it {
       is_expected.to contain_exec("disable #{plugin_name}").with(
-        'command'     => "#{docker_command} disable #{plugin_name}",
+        'command'     => else_command,
         'environment' => 'HOME=/root',
         'path'        => ['/bin', '/usr/bin'],
         'timeout'     => 0,
-        'unless'      => "#{docker_command} ls -f enabled=false --format='{{.PluginReference}}' | grep -w #{plugin_name}",
+        'unless'      => else_unless,
       )
     }
   end